[Dovecot] LDAP and GSSAPI problems

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Sun Feb 6 03:35:18 EET 2011


On Fri, Feb 04, 2011 at 12:57:11PM -0700, Trever L. Adams wrote:
> On 02/02/2011 04:17 PM, Timo Sirainen wrote:
> >
> > It does set that, but only on first GSSAPI authentication. I guess it
> > wouldn't hurt moving it to do it always. If that script helps you, I can
> > do this change.
> It appears that the script you recommended doesn't do the trick. Does
> /usr/libexec/dovecot/auth clear the environment? Even doing it manually
> from the command line the openldap stuff doesn't seem to pick up the
> KRB5_KTNAME environment variable.

Isn't it called KRB5CCNAME?

I.e. if you are using an AD-type environment then I think the only way
this can work is if you do these steps:

# JGGL is the name of your machine in AD klist -k should tell
# you what it is, and you must have samba setup properly, the
# machine joined, and samba must be set to write the system keytab.
# See 'net ads keytab'
$ KRB5CCNAME="/tmp/machine" kinit -k JGGL$

$ KRB5CCNAME="/tmp/machine" klist
Ticket cache: FILE:/tmp/machine
Default principal: JGGL$@ADS.ORCORP.CA

Valid starting     Expires            Service principal
02/05/11 18:26:34  02/06/11 04:26:34  krbtgt/ADS.ORCORP.CA@ADS.ORCORP.CA
        renew until 02/12/11 18:26:34
$ KRB5CCNAME="/tmp/machine" ldapsearch uid=jgg
SASL/GSSAPI authentication started
SASL username: JGGL$@ADS.ORCORP.CA
SASL SSF: 56
SASL data security layer installed.
[..]

Presumably if dovecot has SASL setup properly for Openldap then it
will work just fine if KRB5CCNAME is properly exported to it.

However! Be aware that the TGT must be refreshed periodically, that
is just how kerberos works.

> I can kinit on the command line and get auth to work, but the kinit
> doesn't hold over to the dovecot process (for good reasons I am sure).

Maybe dovecot isn't enabling SASL for openldap?

E.g. the Python wrappers for OpenLDAP require this sequence:

import ldap
import ldap.sasl

conn = ldap.initialize(server)          # server is an LDAP URI, e.g. "ldap://dc.example.com"
auth_tokens = ldap.sasl.gssapi()        # SASL/GSSAPI mechanism; uses the TGT found via KRB5CCNAME
conn.sasl_interactive_bind_s("", auth_tokens)

Before they attempt gssapi - so this will also be true for the C
version.

The *ideal* world would be if dovecot supported an in-memory ticket
cache that it stored a TGT for a given UPN that it initializes using a
given keytab. This is what samba does internally and realistically is
required to use kerberos as a client.

IMHO, doing ldap without kerb is kinda sketchy unless you completely
trust your network - it is easy to spoof ldap replies, kerb fixes
that and has low overhead compared to ssl.

Jason
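The two points above (the daemon must see a KRB5CCNAME pointing at a machine-credential cache, and the TGT in that cache must be refreshed periodically) can be wrapped in a small supervisor. The following is an added example, not code from the thread or from Dovecot: it parses the MIT `klist` output format shown above, decides whether the krbtgt ticket is close to expiry, re-runs `kinit -k` against the system keytab when it is, and launches the child with KRB5CCNAME exported. The cache path `/tmp/machine` and the principal `JGGL$` are placeholders taken from the thread; the sample `klist` text is constructed from it; the 30-minute refresh margin and the `klist_time` / `parse_klist` / `tgt_needs_refresh` / `child_env` names are the example's own.

```python
"""Keep a keytab-derived TGT fresh in a private credential cache and hand that
cache to a daemon that binds to LDAP with SASL/GSSAPI.  Added example; assumes
MIT Kerberos 'kinit -k' / 'klist' with the default short timestamp format."""
import os
import re
import subprocess
import sys
from datetime import datetime, timedelta

CCACHE = "/tmp/machine"            # placeholder cache path (same as in the thread)
PRINCIPAL = "JGGL$"                # placeholder machine principal from the thread
KLIST_TIME = "%m/%d/%y %H:%M:%S"  # MIT klist default timestamp format
REFRESH_MARGIN = timedelta(minutes=30)

# Constructed sample of 'klist' output (wrapped lines rejoined); not live data.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/machine
Default principal: JGGL$@ADS.ORCORP.CA

Valid starting     Expires            Service principal
02/05/11 18:26:34  02/06/11 04:26:34  krbtgt/ADS.ORCORP.CA@ADS.ORCORP.CA
        renew until 02/12/11 18:26:34
"""

_TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s+renew until ({_TS})\s*$")


def klist_time(text):
    """Parse one klist timestamp such as '02/05/11 18:26:34'."""
    return datetime.strptime(text, KLIST_TIME)


def parse_klist(text):
    """Return (default principal, tickets) from klist output.

    Each ticket is a dict: service, starting, expires, renew_until (or None)."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(3),
                            "starting": klist_time(m.group(1)),
                            "expires": klist_time(m.group(2)),
                            "renew_until": None})
            continue
        m = RENEW_RE.match(line)
        if m and tickets:                      # renew line belongs to the previous ticket
            tickets[-1]["renew_until"] = klist_time(m.group(1))
    return principal, tickets


def tgt_needs_refresh(tickets, now, margin=REFRESH_MARGIN):
    """True if the cache holds no TGT or its TGT expires within `margin` of `now`."""
    tgts = [t for t in tickets if t["service"].startswith("krbtgt/")]
    if not tgts:
        return True
    return any(t["expires"] - now <= margin for t in tgts)


def child_env(ccache=CCACHE, base=None):
    """Environment for the child so libkrb5 (and thus OpenLDAP's SASL/GSSAPI) finds the TGT."""
    env = dict(os.environ if base is None else base)
    env["KRB5CCNAME"] = ccache
    return env


def refresh_tgt(ccache=CCACHE, principal=PRINCIPAL):
    """Re-obtain the TGT from the system keytab (requires kinit and a joined machine)."""
    subprocess.run(["kinit", "-k", principal], env=child_env(ccache), check=True)


def current_klist(ccache=CCACHE):
    """Run klist against the cache; an empty string means no usable cache yet."""
    proc = subprocess.run(["klist"], env=child_env(ccache),
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def main(argv):
    """Usage: supervisor.py <daemon> [args...]  (e.g. the dovecot auth process)."""
    _, tickets = parse_klist(current_klist())
    if tgt_needs_refresh(tickets, datetime.now()):
        refresh_tgt()
    os.execvpe(argv[0], argv, child_env())


if __name__ == "__main__":
    main(sys.argv[1:])
```

The supervisor only covers start-up; for a long-running daemon you would run the `tgt_needs_refresh` / `refresh_tgt` step from cron or a timer well inside the ticket lifetime, which is the periodic refresh the message warns about.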

